Direct SAML to Managed Grafana from Auth0 issue

0

I am having trouble using Auth0 as SAML to work with Managed Grafana.
I followed this: https://auth0.com/docs/customize/integrations/aws/configure-amazon-web-services-for-sso but that is not directly to AMG. My setup:

Using my AMG workspace, set to use both Identity Center and SAML.

Auth0 settings:

```json
{
  "audience": "i used AMG Service provider identifier (Entity ID)",
  "destination": "I used AMG Service provider reply URL (Assertion consumer service URL)",
  "mappings": {
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
  },
  "createUpnClaim": false,
  "passthroughClaimsWithNoMapping": false,
  "mapUnknownClaimsAsIs": false,
  "mapIdentities": false,
  "nameIdentifierFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
  "nameIdentifierProbes": [
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
  ]
}
```

CALLBACK URL = Service provider reply URL (Assertion consumer service URL)

I did import the IdP metadata.

Assertion mapping I use: Assertion attribute role = email; Admin role values = the email address of the user I set up in Auth0.

If I test from Auth0 using the Identity Provider Login URL, the error is: `{"message":"corresponding relay state is not found: "}`

If I test from AMG using the Grafana workspace URL, the error is: `{"message":"Failed to obtain required user information from the assertion, make sure assertion mapping is correct."}`

Any help is much appreciated please.

1 Answer
0

I have recently solved this with the help of AWS.

Follow the instructions below:

Copy Grafana SAML info

  1. Access your Grafana workspace config, Authentication, SAML configuration
  2. Copy the values for Service provider identifier (Entity ID) and Service provider reply URL (Assertion consumer service URL)

Configure Auth0 application

  1. In the Auth0 dashboard, go to Applications, Applications, Create application
  2. Regular Web Applications
  3. Addons
  4. SAML2 Web App
  5. Settings
  6. Application Callback URL: paste your Service provider reply URL (Assertion consumer service URL)
  7. Settings: see below
  8. Scroll down and select Enable
  9. Close the addon config
  10. Back in the application config, click Settings
  11. Scroll down and expand Advanced Settings
  12. Endpoints
  13. Copy the SAML Metadata URL

Update Grafana SAML config

  1. Back in the Grafana workspace config, Authentication, SAML configuration
  2. In Metadata URL, paste the SAML Metadata URL
  3. In Assertion attribute role, enter `role`
  4. In Admin role values, enter `admin`
  5. Click Save SAML configuration

Add user in Auth0

  1. In Auth0, go to User Management, Users
  2. Create a user with a valid email address and a password
  3. After creating it, click the user name to see the user details
  4. Scroll down and insert the app_metadata as below

SAML2 Addon settings:

```json
{
  "audience": "Service provider identifier (Entity ID)",
  "mappings": {
    "email": "mail",
    "name": "displayName",
    "role": "role"
  }
}
```

**App_metadata** (change admin to editor or viewer when needed):

```json
{ "role": "admin" }
```

answered a year ago
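The two error messages in the question come from a mismatch between the attribute names Auth0 puts into the assertion and the names Grafana is configured to look for. The following is an added example, not part of the question, the answer or AWS/Auth0 documentation: a small Python diagnostic that decodes a captured `SAMLResponse` form value, lists the NameID and attributes actually present, reports which names from a Grafana-style mapping are missing (the cause of "Failed to obtain required user information from the assertion"), and resolves the Grafana org role from the role attribute. The mapping names (`mail`, `displayName`, `role`) and the role values (`admin`, `editor`) mirror the answer above; `build_sample_response` only produces constructed, unsigned test data. The script does not verify the XML signature, so it is for inspecting what an IdP sends, never for trusting it.

```python
"""Inspect a captured SAML Response against a Grafana-style assertion mapping.

Diagnostic only: no signature or audience validation is done here, so the
result says what the IdP sent, not whether it may be trusted.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Assumed Grafana SAML settings (Grafana field -> SAML Attribute Name),
# mirroring the answer above.
GRAFANA_MAPPING = {"email": "mail", "name": "displayName", "role": "role"}
# Assumed "Admin role values" / "Editor role values"; anything else is Viewer.
ADMIN_ROLE_VALUES = {"admin"}
EDITOR_ROLE_VALUES = {"editor"}


def decode_response(saml_response_b64: str) -> ET.Element:
    """Decode the base64 SAMLResponse POST field and parse the XML."""
    return ET.fromstring(base64.b64decode(saml_response_b64))


def extract_attributes(root: ET.Element) -> dict:
    """Return {attribute Name: [values]} plus the NameID under key '_nameid'."""
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    attrs["_nameid"] = [name_id.text] if name_id is not None else []
    return attrs


def missing_attributes(attrs: dict, mapping: dict = GRAFANA_MAPPING) -> list:
    """Attribute names the mapping expects but the assertion does not carry."""
    return sorted(name for name in mapping.values() if not attrs.get(name))


def grafana_role(attrs: dict, mapping: dict = GRAFANA_MAPPING) -> str:
    """Resolve the Grafana org role from the role attribute's values."""
    values = set(attrs.get(mapping["role"], []))
    if values & ADMIN_ROLE_VALUES:
        return "Admin"
    if values & EDITOR_ROLE_VALUES:
        return "Editor"
    return "Viewer"


def diagnose(saml_response_b64: str) -> dict:
    """One-call summary: what was sent, what is missing, which role results."""
    attrs = extract_attributes(decode_response(saml_response_b64))
    return {
        "nameid": attrs["_nameid"],
        "attributes": {k: v for k, v in attrs.items() if k != "_nameid"},
        "missing": missing_attributes(attrs),
        "role": grafana_role(attrs),
    }


def build_sample_response(attributes: dict, name_id: str = "alice@example.com") -> str:
    """CONSTRUCTED, unsigned SAML Response (base64) for offline testing only.
    Values are inserted without XML escaping, so pass plain test strings."""
    attr_xml = "".join(
        f'<saml:Attribute Name="{name}"><saml:AttributeValue>{value}'
        "</saml:AttributeValue></saml:Attribute>"
        for name, value in attributes.items()
    )
    xml = (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">'
        '<saml:Assertion ID="_a1" Version="2.0"><saml:Subject>'
        '<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">'
        f"{name_id}</saml:NameID></saml:Subject>"
        f"<saml:AttributeStatement>{attr_xml}</saml:AttributeStatement>"
        "</saml:Assertion></samlp:Response>"
    )
    return base64.b64encode(xml.encode()).decode()


# Constructed samples: the working mapping from the answer, and the WS-Fed
# claim URIs from the question (which Grafana's mapping never looks for).
GOOD_RESPONSE = build_sample_response(
    {"mail": "alice@example.com", "displayName": "Alice", "role": "admin"}
)
BAD_RESPONSE = build_sample_response(
    {
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "alice@example.com",
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name": "Alice",
    }
)

if __name__ == "__main__":
    for label, resp in (("good", GOOD_RESPONSE), ("bad", BAD_RESPONSE)):
        print(label, diagnose(resp))
```

To use it on a real login, capture the `SAMLResponse` POST parameter from the browser's network tab (or SAML-tracer) and pass the raw base64 value to `diagnose`; an entry in `missing` is the attribute name to fix on either the Auth0 `mappings` side or the Grafana "Assertion attribute" side.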
